Expressions of Expertness The Virtuous Circle of Natural Language for Access Control Policy SpecificationWhat do we mean by “Expressions of Expertness”?Access control and authorizationThe Context of this research: PERMISRole Based Access ControlOvercoming conceptual difficulties: existing approachesOur approach: Controlled natural language based on an ontologyCarrying out our approachSlide 9Evaluation: can users express their real world intentions?Overall resultsThe underlying mechanism makes itself feltWhat do they need to know? How can they know it?Review and conclusionsSlide 15Slide 16Slide 17Slide 18Symposium On Usable Privacy and SecurityCarnegie Mellon University 25 July 2008Expressions of ExpertnessThe Virtuous Circle of NaturalLanguage for Access Control Policy SpecificationPhilip InglesantM Angela Sasse - University College LondonDavid ChadwickLei Lei Shi - University of Kent, Canterbury, UKSOUPS 2008 Page 2 of 14What do we mean by “Expressions of Expertness”?Need: Non-security specialists to express access control in formal termsBut struggle to express this in formal terms which the computer can interpret•They are experts concerning their own resources: they know who should be given access to what to do which action•Only the user knows what they “really want”Grid computing – similar to cluster computing – linked computers working togetherSystems can be distributed geographicallyAcross administrative domainsSOUPS 2008 Page 3 of 14Access control and authorization•“Access control is the ability topermit or deny the use of a particular resourceby a particular entity” - Wikipedia•AuthZ is more important than AuthN but has been studied less•Authorization is inherently complex but, for usability, “complexity is the enemy of success” - Karat Brodie & Karat 2005SOUPS 2008 Page 4 of 14The Context of this research: PERMISPERMIS is an integrated AuthZ infrastructureOpen sourceWorks with Grid, Apache Web servers, .Net, and others•PERMIS makes access control decisions …•… as defined by your access control policies•… written in XMLSOUPS 2008 Page 5 of 14Role Based Access ControlRBAC permissions are always positivePermissions to do actions on resources are assigned to roles, not usersAssignment of Roles to Users by Administrators in (remote) Domains→RBAC model presents conceptual difficulties Policy specificationUser assignmentUsers Roles PermissionsActionsResourcesPermission assignmentPERMIS allows you to delegate the ability to assign roles to Role/Attribute AdministratorsDelegated assignmentRBAC permissions are always positive, although there can be constraints. Permissions not granted are implicitly denied – “Deny all, except …”SOUPS 2008 Page 6 of 14Overcoming conceptual difficulties: existing approaches•PERMIS Editor: GUI-based approach–Conceptual Design - metaphors to match users’ mental models–Prominent warning: “this is DENY ALL, EXCEPT”•Controlled natural language approaches–Fundamentally – reduce distance between user’s intentions  their expression–SPARCLE – for privacy and other policies–Virtuous Circle – input and output of AuthZ policiesSOUPS 2008 Page 7 of 14Our approach: Controlled natural language based on an ontologyPermissions, actions, resources, roles, & other entities, and relations between themUser’s worldComputer’s worldRequests and responses between user and computerControlled natural language may be more “natural” and less ambiguous than full natural languageX.509_PMI_RBAC_Policy OID=".091007.1"> ....The user does not have to know about the computer’s worldSOUPS 2008 Page 8 of 14Carrying out our approach•Phase 1: Interviews and focus groups–45+ Resource owners in Grid computing–How do they think about their AuthZ requirements?–How do they express them?•Phase 2: Design of ontology and controlled language processing–From findings of Phase 1–Keep it open but above all easy–Basic building blocks – users construct policies according to their needsSOUPS 2008 Page 9 of 14ExamplePrint is an action.Printers are a type of resource.Printer has print.HP Laserjet 1 is a printer.Manager and staff are roles.Manager is superior to staff.Staff can print on HP Laserjet 1.Manager can print on all printers.David and John are administrators.David can assign manager to all users.John can assign staff to users from DepartmentCS.read is an action.write is an action.records are a type of resource.records has read and write.name, dobs, addresses, postcodes are a resource.analyst and clerk are roles.analysts can read from dob and postcode.…SOUPS 2008 Page 10 of 14Evaluation: can users express their real world intentions? •Lab-based observations: 17 target users•Neutral or application-specific scenarios•Recorded and analysed for time and number of tries, classes of problem and comments→How usable is the basic interface? Are users daunted by the blank screen?→Can users understand the building blocks and use them to construct workable policies?SOUPS 2008 Page 11 of 14Overall results•Not daunted by controlled natural language interface•Time and tries are higher than we would like:–mean 24:27 minutes in 4.47 tries•Largely overcomes conceptual difficulties–No tendency to “deny” access to resourcesBut: •Problems with features of controlled natural language•Difficulties constructing from the “building blocks”SOUPS 2008 Page 12 of 14The underlying mechanism makes itself felt→Underlying model does not match the users’ expectation →What do they need to know? How can we overcome the problems?•Not quite natural language–Having to declare elements–Prepositions after verbs•Using the building blocks–classes and instancesClerks, Owners and Analysts are roles.Name, DoB, Address and Postcode are resources.Clerks can write to Name, DoB, Address and Postcode.Owners can read all fields.Address is a type of resource.… instead ofField is a type of resource.Address is a field.Printers are a type of resource.HP Laserjet 1 is a printer.fromSOUPS 2008 Page 13 of 14What do they need to know? How can they know it?•More informative timely feedback–Line by line parsing–Don’t silently fix problems – only the user knows what they “really want”–Drop-down boxes to disambiguate•2-way street between GUI and controlled language–An integrated interfaceSOUPS 2008 Page 14 of 14Review and conclusions•Need: expression of formal AuthZ by